Official Dispatch 758/CNTH8

Official dispatch No. 758/CNTH8 dated June 10th, 2016, strengthening and ensuring information security of SWIFT system



THE STATE BANK OF VIETNAM
INFORMATION TECHNOLOGY DEPARTMENT
--------

SOCIALIST REPUBLIC OF VIETNAM
Independence – Freedom – Happiness
-----------------------

No.: 758/CNTH8
Re: strengthening and ensuring information security of SWIFT system

Hanoi, June 10, 2016

 

To:

- Credit institutions;
- Branches of foreign banks.

 

Recently, attacks by cybercriminals on banks' financial systems, and in particular on the SWIFT international payment system (hereinafter referred to as the SWIFT system), have taken increasingly complex forms and have adversely affected the operations of the banking system.

Following inspection and assessment, the Information Technology Department of the State Bank of Vietnam finds that the management, operation and use of the SWIFT system are exposed to certain risks, specifically:

- Risks in SWIFT payment operation processes: the operational processes for the SWIFT system are either not established or, where they exist, are not strictly enforced and their compliance is not supervised. Examples: lending user accounts to others; a SWIFT member buying only one concurrent user licence, or failing to arrange personnel appropriately, so that the person creating messages is not separated from the person verifying them; comparing and controlling messages only irregularly or without care, etc.

- Risks in integration and development of the SWIFT system:

+ Some institutions lease SWIFT payment services from service providers but take no measures to manage and supervise the safety and security of those services.

+ Some institutions integrate other systems (such as the core banking system) with the SWIFT system using connectivity solutions that do not provide authentication, so that fraudulent messages can be sent over the SWIFT system from malware or from another operational computer.

- Risks in configuration of the SWIFT system:

+ The number of host computers that may connect to the SWIFT network (SWIFTNet) is not limited.

+ No prior authorization is required before messages are sent over SWIFTNet.

+ Financial institutions still keep Relationship Management Application (RMA) authorisations with institutions that are no longer their counterparties (counterparty BICs).

- Login authentication for the SWIFT system and prior authorization of messages: at present, almost all users log in to the SWIFT system with an individual username and password. If an institution does not enforce strong passwords for user accounts and application privileged accounts, and does not properly manage and control the operating system and database of the SWIFT system, account information may be leaked, and hackers may use it to access the SWIFT system to conduct fraudulent transactions, alter the database, delete or remove transactions from the compromised account's history, install illegal software or change the system configuration, etc.

+ No timeout period is configured for the SWIFT system, or the configured timeout period is too long.

- Risks in human factors: administrators, operators and users are not provided with the operational processes or with training in information security awareness.

- Other risks:

+ The number of servers that connect to the SWIFT system is not monitored or limited.

+ Servers that connect to the SWIFT system may access the Internet or be connected to insecure network zones; users may install new or modified software at the operating system level; anti-malware software is not installed; connections of peripheral equipment are not monitored.

Based on the above risk analysis, the Information Technology Department of the State Bank of Vietnam requests all institutions using the SWIFT payment system to perform the following duties:

- Adopt processes and regulations for the operation of the SWIFT system that cover the following:

+ Regulations on transactions:

For manual transactions, a payment transaction is conducted with the participation of at least 3 persons: the message creator, the verifier and the tracker;

For transactions generated automatically on the core banking system and transmitted to the SWIFT system, the Information Technology Department of the State Bank of Vietnam encourages the institutions concerned to add a verification step on the SWIFT system before messages are sent to SWIFTNet. Institutions that set up automatic transmission without verification on the SWIFT system must check the entire process and infrastructure and bear responsibility for any resulting risks.

+ Checking and comparing information in order to promptly detect discrepancies between messages on the SWIFT system and the institution's core banking system, or between the institution's SWIFT system and those of its counterparties.

+ Assigning and defining the duties of the administrators, operators and users of the SWIFT system.

+ Establishing a unit responsible for inspecting and reporting compliance with the prevailing processes and regulations relating to the SWIFT system.

- An institution using SWIFT payment services from a service provider under a lease contract should make a plan to move the SWIFT system to its own premises, so that it can manage the system and adopt information security measures itself.

- Research and implement connectivity solutions between other systems and the SWIFT system that ensure the security, authentication and integrity of messages.

- Check and optimize the configuration of the SWIFT system to improve information security in its administration and operation:

+ Limiting the number of host computers in the SWIFT system that may connect to SWIFTNet.

+ Evaluating the SWIFT system against KB tip 5020788 - Security Guidance for Alliance, remediating the risks discovered, and researching and implementing SWIFT's security guidelines (see https://www2.swift.com/uhbonline/books/protected/en_uk/aa_7_1_10_sec_guid/index.htm).

+ Strengthening login authentication: enforcing strong passwords for user accounts; setting an appropriate timeout period; researching OTP or PKI integration for login or transaction authentication.

+ Reviewing user accounts, and their management and connection to the system, so that users hold the correct rights; removing all unused accounts; changing the passwords of the system's default accounts; and adopting appropriate measures to manage and protect privileged accounts such as the SuperKey, SuperVisor, MsgEntry and MsgPartner profile accounts, the Administrator/Root account of the operating system, database administration accounts, etc.

+ Reviewing RMAs and removing unused RMAs.

- Check and optimize the configuration of related systems, or adopt security solutions or other services, to improve the information security of the SWIFT system:

+ Monitoring and limiting the number of servers that connect to the SWIFT system and applying information security measures to them, specifically: placing these servers in a separate, secured network zone; installing and regularly updating hotfixes and anti-malware software; restricting Internet access; assigning user account rights so that users can run the required operational applications but cannot install new or modified software at the operating system level; restricting the use of peripheral equipment, etc.

+ Researching and implementing measures for detecting and preventing fraudulent transactions on the SWIFT system, and for analysing and warning of abnormal transactions on the basis of the history of the SWIFT system and of related systems.

- Administrators, operators and users of the SWIFT system should be given information security training so that they know how to prevent risks, for example by recognising malicious emails and websites, and are aware of their responsibility for the management and use of user accounts and sensitive information.
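Three of the controls requested above (the three-person rule for manual transactions, the comparison of messages between the core banking system and the SWIFT system, and the warning on abnormal transactions based on transaction history), shown together as an added Python example. This is not part of the dispatch and is not code from the State Bank of Vietnam, SWIFT or LawSoft. All message fields, references, BICs, user names and amounts are constructed, and the business-hours window and the z-score threshold are assumptions that an institution would set according to its own policy.

```python
"""Added example (not code from the State Bank of Vietnam, SWIFT or LawSoft).
Three controls the dispatch asks for, on constructed data: the three-person rule on
outgoing messages, reconciliation of SWIFT messages against core banking records, and
warnings on abnormal transactions derived from sending history. Amounts are in minor units."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List

STEPS = ("created", "verified", "tracked")  # taken in this order, by three different people


class SegregationError(Exception):
    pass


@dataclass
class OutgoingMessage:
    ref: str
    amount: int  # minor units (e.g. cents)
    currency: str
    beneficiary_bic: str
    actions: Dict[str, str] = field(default_factory=dict)  # step -> user id


def record_step(msg: OutgoingMessage, step: str, user: str) -> None:
    """Record that `user` performed `step`, enforcing step order and separation of duties."""
    missing = [s for s in STEPS[:STEPS.index(step)] if s not in msg.actions]
    if missing:
        raise SegregationError(f"{msg.ref}: '{step}' attempted before '{missing[0]}'")
    if user in msg.actions.values():
        raise SegregationError(f"{msg.ref}: user {user} already acted on this message")
    msg.actions[step] = user


def is_releasable(msg: OutgoingMessage) -> bool:
    """A message may be sent to SWIFTNet only once all three steps are recorded."""
    return all(s in msg.actions for s in STEPS)


def reconcile(core_records: List[dict], swift_messages: List[OutgoingMessage]) -> Dict[str, str]:
    """Match core banking records to SWIFT outgoing messages by reference; return
    {ref: reason} for every discrepancy (missing on one side, or altered fields)."""
    core = {r["ref"]: r for r in core_records}
    swift = {m.ref: m for m in swift_messages}
    findings = {}
    for ref in sorted(set(core) | set(swift)):
        c, s = core.get(ref), swift.get(ref)
        if c is None:
            findings[ref] = "in SWIFT only (no core banking record)"
        elif s is None:
            findings[ref] = "in core banking only (not sent)"
        else:
            diffs = [f for f in ("amount", "currency", "beneficiary_bic") if c[f] != getattr(s, f)]
            if diffs:
                findings[ref] = "field mismatch: " + ", ".join(diffs)
    return findings


def build_baseline(history: List[dict]) -> Dict[str, tuple]:
    """Per beneficiary BIC: (mean, population std dev, max) of historical amounts."""
    by_bic = defaultdict(list)
    for tx in history:
        by_bic[tx["bic"]].append(tx["amount"])
    return {bic: (mean(a), pstdev(a), max(a)) for bic, a in by_bic.items()}


def flag_transaction(tx: dict, baseline: Dict[str, tuple], z_threshold: float = 3.0) -> List[str]:
    """Reasons a new transaction deviates from the baseline (empty list if none).
    Business hours 08:00-18:00 Mon-Fri and the z-score threshold are assumed policy values."""
    reasons = []
    sent = datetime.fromisoformat(tx["sent_at"])
    if sent.weekday() >= 5 or not 8 <= sent.hour < 18:
        reasons.append("sent outside business hours")
    if tx["bic"] not in baseline:
        reasons.append("beneficiary BIC never used before")
    else:
        avg, sd, mx = baseline[tx["bic"]]
        if tx["amount"] > mx:
            reasons.append("amount above historical maximum for this BIC")
        if sd > 0 and (tx["amount"] - avg) / sd > z_threshold:
            reasons.append("amount is a statistical outlier for this BIC")
    return reasons


def review_batch(history: List[dict], new_txs: List[dict]) -> Dict[str, List[str]]:
    """Warnings for every new transaction that deviates from the historical baseline."""
    baseline = build_baseline(history)
    return {tx["ref"]: r for tx in new_txs if (r := flag_transaction(tx, baseline))}


# --- constructed sample data (not real records) ---
CORE_RECORDS = [
    {"ref": "REF001", "amount": 150_000, "currency": "USD", "beneficiary_bic": "BANKXXYY"},
    {"ref": "REF002", "amount": 200_000, "currency": "EUR", "beneficiary_bic": "BANKZZQQ"},
    {"ref": "REF003", "amount": 50_000, "currency": "USD", "beneficiary_bic": "BANKXXYY"},
]
SWIFT_OUTGOING = [
    OutgoingMessage("REF001", 150_000, "USD", "BANKXXYY"),
    OutgoingMessage("REF002", 200_000, "EUR", "OTHRBICX"),  # beneficiary altered after creation
    OutgoingMessage("REF004", 999_000, "USD", "OTHRBICX"),  # no matching core banking record
]
HISTORY = [{"bic": "BANKXXYY", "amount": a} for a in (1_000_000, 1_200_000, 900_000, 1_100_000, 1_000_000)]
NEW_TRANSACTIONS = [
    {"ref": "TX001", "bic": "BANKXXYY", "amount": 1_050_000, "sent_at": "2016-06-08T10:15:00"},
    {"ref": "TX002", "bic": "BANKXXYY", "amount": 9_500_000, "sent_at": "2016-06-08T11:00:00"},
    {"ref": "TX003", "bic": "NEWBZZQQ", "amount": 500_000, "sent_at": "2016-06-05T02:30:00"},
]
```

Running `reconcile(CORE_RECORDS, SWIFT_OUTGOING)` reports REF002 as a field mismatch on the beneficiary BIC, REF003 as present only in core banking and REF004 as present only on the SWIFT side; `review_batch(HISTORY, NEW_TRANSACTIONS)` warns on TX002 (far above the historical amounts for that BIC) and TX003 (new beneficiary, sent on a Sunday night) while TX001 passes. The separation-of-duties check refuses a second step by the same person and any step taken out of order, which is the condition the dispatch's three-person rule is meant to guarantee.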

The Information Technology Department affiliated to the State Bank of Vietnam hereby requests involved institutions to implement this document.

For further details, please contact the Information Security Division - Information Technology Department, No. 64 Nguyen Chi Thanh Street, Dong Da District, Hanoi City, telephone: 04.38354775, fax: 04.38358135, email: [email protected]./.

Sincerely./.

 

 

PP DIRECTOR GENERAL
DEPUTY DIRECTOR GENERAL




Phan Thai Dung

 


------------------------------------------------------------------------------------------------------
This translation is made by LawSoft and for reference purposes only. Its copyright is owned by LawSoft and protected under Clause 2, Article 14 of the Law on Intellectual Property.
